Direct Pay Core

Core payment engine for the Direct Pay (S2S) SDK. This package contains all the shared logic for server-to-server payment integration with 3D Secure support.

This package is not intended to be used directly by host apps. Use a branded wrapper instead (e.g., rd_direct_pay).

Features

  • Single entry-point API via DirectPayService.processPayment()
  • SHA-512 hash generation and response verification (constant-time comparison)
  • Built-in 3D Secure challenge flow via WebView
  • Debug-only structured logging with configurable log levels
  • Inherits host app ThemeData / ColorScheme — no hard-coded styles

Architecture

direct_pay_core/lib/
├── direct_pay_core.dart     # Public barrel file
└── src/
    ├── config/              # DirectPayConfig
    ├── core/                # Logger
    ├── data/
    │   ├── api/             # Endpoints, PaymentApi (Dio)
    │   └── models/          # DirectPayRequest, DirectPayResponse (freezed)
    ├── domain/              # HashService, DirectPayService
    └── presentation/        # 3DS capture screen & widgets

Creating a Branded Wrapper

Create a thin package that depends on direct_pay_core:

# my_brand_direct_pay/pubspec.yaml
name: my_brand_direct_pay
dependencies:
  direct_pay_core: ^0.0.1

// my_brand_direct_pay/lib/my_brand_direct_pay.dart
library;

export 'package:direct_pay_core/direct_pay_core.dart'
    show DirectPayRequest, DirectPayResponse, DirectPayService, DirectPayLogLevel;

import 'package:direct_pay_core/direct_pay_core.dart';

class MyBrandDirectPay {
  static void init({
    required String appId,
    required String merchantKey,
    String baseUrl = 'https://gateway.mybrand.com',
    String? returnUrl,
    DirectPayLogLevel? logLevel,
  }) {
    DirectPayConfig.init(
      appId: appId,
      merchantKey: merchantKey,
      baseUrl: baseUrl,
      returnUrl: returnUrl,
      logLevel: logLevel,
    );
  }
}

Security

  • HTTPS enforced via runtime check on baseUrl
  • No secrets logged — hash inputs are never printed
  • Sensitive card data masked in debug logs
  • Constant-time hash comparison to prevent timing attacks
  • WebView denies all permission requests by default

Requirements

  • Flutter >= 3.0.0
  • Dart SDK >= 3.0.0 < 4.0.0

License

MIT — see LICENSE.

Libraries

direct_pay_core
Direct Pay Core — shared payment engine for branded Direct Pay SDKs.